‘Quadrooter’ is a group of four vulnerabilities affecting specific Android devices that use the Qualcomm chipset and its associated driver code. These four vulnerabilities are a small part of the 36 vulnerabilities of the same class of bug (privilege escalation) for the same vendor (Qualcomm) that were fixed as part of the August 5th Android Nexus monthly security bulletin. The vulnerabilities reside in the embedded software running the graphics driver. The graphics driver has privileged access to other processes on your device, making it an interesting target for attackers.
Based on the proof of concept (POC) shared with Google for this exploit, Zimperium customers will detect this attack and receive detailed forensics for it without requiring an update. The Zimperium solution continuously monitors for anomalous behaviour using its proprietary z9 technology to detect mobile attacks, whether from local escalation of privileges, attacks over Wi-Fi networks or malicious applications.
What is in Quadrooter?
The four vulnerabilities defined as ‘Quadrooter’ are:
- CVE-2016-2503 – The Qualcomm GPU driver in Android before 2016-07-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application…
- CVE-2016-2504 – The Qualcomm GPU driver in Android before 2016-08-05 on Nexus 5, 5X, 6, 6P, and 7 (2013) devices allows attackers to gain privileges via a crafted application…
- CVE-2016-2059 – … in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service…
- CVE-2016-5340 – … Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.
Two of the above CVEs, CVE-2016-2503 and CVE-2016-2504, are addressed in Google’s Android Security Bulletins for July and August of 2016. Google reports that it has no reports of active exploitation of these issues against customers. The other two, CVE-2016-2059 and CVE-2016-5340, have been fixed, but a patch update is still pending.
Interestingly, the same security bulletin that covers the Quadrooter vulnerabilities also lists a remote code execution vulnerability. Remote code execution vulnerabilities are much more severe, since they do not require prior code execution on your device. The August bulletin also lists 32 other local privilege escalation vulnerabilities from the same vendor.
The August 2016 security bulletin documents many privilege escalation bugs. From an initial investigation of it, we found the following vulnerabilities to be of higher risk, as they affect a broader range of devices and do not depend solely on the Qualcomm chipset:
- Kernel remote code execution – CVE-2014-9902
- RCE in Conscrypt – CVE-2016-3840
- RCEs in MediaServer – CVE-2016-3819, CVE-2016-3820, CVE-2016-3821
- RCE in libjhead – CVE-2016-3822
- Multiple information disclosure bugs
Some of the most popular Android devices found on the market today use these chipsets, including:
- BlackBerry Priv
- Blackphone 1 and Blackphone 2
- Google Nexus 5X, Nexus 6 and Nexus 6P
- HTC One, HTC M9 and HTC 10
- LG G4, LG G5, and LG V10
- New Moto X by Motorola
- OnePlus One, OnePlus 2 and OnePlus 3
- Samsung Galaxy S7 and Samsung S7 Edge
- Sony Xperia Z Ultra
What do you need to do to be safe from Quadrooter?
SoftFunda continues to recommend following these best practices to help keep Android devices safe from attacks:
- Download and install the latest Android updates as soon as they become available. These include important security updates that help keep your device and data protected.
- Understand the risks of rooting your device – either intentionally or as a result of an attack.
- Examine carefully any app installation request before accepting it to make sure it’s legitimate.
- Avoid side-loading Android apps (.APK files) or downloading apps from third-party sources. Instead, practice good app hygiene by downloading apps only from Google Play.
- Read permission requests carefully when installing any apps. Be wary of apps that ask for permissions that seem unusual or unnecessary or that use large amounts of data or battery life.
- Use known, trusted Wi-Fi networks, or, while traveling, use only those that you can verify are provided by a trustworthy source.
- End users and enterprises should consider using mobile security solutions designed to detect suspicious behavior on a device, including malware that could be obfuscated within installed apps.
- Use a personal mobile security app that monitors your device for any malicious behavior.
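To turn the first recommendation into a check you can actually run against a fleet, here is an added shell example (not from the original post) that compares a device's reported security patch level with the fix dates given above for the Quadrooter CVEs. The property name ro.build.version.security_patch and the adb command are assumptions about how the value is obtained; the sample values are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: triage a device's Android security
# patch level against the fix dates the post gives for the Quadrooter CVEs.
# On a device the value is assumed to come from
#   adb shell getprop ro.build.version.security_patch    (format YYYY-MM-DD)
# Here it is passed in as a string so the check runs offline.

# Convert YYYY-MM-DD to a comparable integer (YYYYMMDD); prints nothing on bad input.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) printf '' ;;
    esac
}

# Print, space-separated, the Quadrooter CVEs NOT covered by the given patch level.
# Fix dates per the post: CVE-2016-2503 in the 2016-07-05 bulletin, CVE-2016-2504
# in the 2016-08-05 bulletin. CVE-2016-2059 and CVE-2016-5340 had no shipped patch
# at the time of writing, so no patch level vouches for them; they are always listed.
quadrooter_missing() {
    level=$(patch_to_int "$1")
    missing=""
    if [ -z "$level" ]; then
        # Property missing or malformed (e.g. older builds): assume nothing is fixed.
        missing="CVE-2016-2503 CVE-2016-2504"
    else
        if [ "$level" -lt 20160705 ]; then missing="CVE-2016-2503"; fi
        if [ "$level" -lt 20160805 ]; then missing="$missing CVE-2016-2504"; fi
    fi
    missing="$missing CVE-2016-2059 CVE-2016-5340"
    # Re-split and re-join so the output has single spaces and no leading blank.
    set -- $missing
    echo "$*"
}

# Constructed sample inputs standing in for getprop output from several devices.
for sample in "2016-06-01" "2016-07-05" "2016-08-05" ""; do
    printf '%-10s -> %s\n' "${sample:-<unset>}" "$(quadrooter_missing "$sample")"
done
```

Devices whose output still names CVE-2016-2503 or CVE-2016-2504 are behind the bulletin that fixes them; the two pending CVEs will stay listed until a patch level that covers them is published.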
Hope this article was helpful to all. Stay connected with us and don’t forget to share this post on social media.